RE: Route packets by source IP

Hi

> It sounds like you have (one or more ports of) ExtA port 
> forwarded to IntA and (one or more ports of) ExtB port 
> forwarded to IntB.  You now want (one or more different ports 
> of) ExtB port forwarded to IntA and possibly (one or more 
> different ports of) ExtA port forwarded to IntB. 
> This will allow IntA to effectively be accessed via one port 
> range on ExtA and another port range of ExtB and possibly vice versa.

No.
There is no firewall or such in front.
I DO have 2 publicly reachable servers with 1 public IP each and an OpenVPN
connection between them giving each 1 additional private IP.

Now I want to make some services on server A accessible through the public IP
of server B. (While they stay reachable on the public IP of server A.)

To simplify things:
The private OpenVPN IP of both servers is not used for anything else. Just
the connection between these two servers.
You can think of only making one service available - everything else will
just duplicate iptables commands.

> Let's see if I understand you correctly.  (In addition to 
> what you already have) you now want ExtB:81 port forwarded to 
> IntA:<something> and associated reply traffic to go back out 
> ExtB, not the default of ExtA.

This is nearly what I want:
I want ExtB:80 to be forwarded to IntA:80 and associated reply
traffic to go back out ExtB, not the default ExtA.
(The client should not notice A at all.)

B will not provide any own service at the ports in question.

> Presuming this is correct, you can fairly easily do this if 
> you are willing to do something simple.  If you will send the 
> traffic that you want to reply through the non default route 
> to a different IP or port, you can easily use tc to match the 
> traffic to use a different routing table and thus route out 
> the non default interface.

What is tc and how is it set up?

> You can either use a different port or a different IP address 
> on the internal server(s).  You need something to be 
> different between the traffic that comes in to the default 
> and non default routes so that you have an easy way to 
> identify the traffic and apply tc rules.

Everything that comes in on the private IP (OpenVPN IP) applies.
That IP is not used for anything else.

> Are you wanting to run similar services on both ExtA and 
> ExtB, and have them be redundant of each other?

No.

I need this setup for two things, one is hard to explain, so I will skip it,
the other is easy:
I need to transfer a service which cannot run on two servers in parallel
from one host to another.
The problem is that clients are connecting all the time and do this by DNS.
Now changing DNS needs some time for the caches to time out, and I have nearly
no control over the DNS servers. The TTL is two days.
So I need the very same instance of one service to be reachable by two IPs
on two different servers (at two different providers).

> Before I go in to tc rules, would this scenario suffice what 
> you are trying to do?

Your scenario was much more than I need.
You involved 4 systems (ext and int, A and B). I only have 2 and I will
never need to do all this in two directions. In both my use cases, there is
only a need to forward from B to A, never from A to B at the same time.

Any help to starting points for the configuration commands is appreciated.

Regards,
  Steffen

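The setup described in this thread (one service on A published on ExtB:80, replies leaving via ExtB, no tc involved) can be done with a DNAT on B plus source-based policy routing on A, which is what the subject line asks about. The script below is an added example, not from the thread or from either poster; it only prints the commands for review, and every address, interface name and table number is a constructed placeholder. It assumes the service on A also listens on A's tunnel address (or on 0.0.0.0).

```shell
#!/bin/sh
# Added example, not from the thread. All values are constructed placeholders.
EXT_B="${EXT_B:-203.0.113.10}"   # public IP of server B (ExtB)
VPN_B="${VPN_B:-10.8.0.1}"       # B's end of the OpenVPN tunnel
VPN_A="${VPN_A:-10.8.0.2}"       # A's end of the OpenVPN tunnel
TUN_IF="${TUN_IF:-tun0}"         # tunnel interface name on both hosts
PORT="${PORT:-80}"               # the one service being published on ExtB
TABLE="${TABLE:-100}"            # policy routing table number used on A

# Server B: DNAT ExtB:PORT into the tunnel. No SNAT, so packets keep the
# client's real source address and A sees real client IPs in its logs; in
# return A must route the replies back by source IP (gen_rules_a) instead
# of sending them out its own default interface (ExtA).
gen_rules_b() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d $EXT_B -p tcp --dport $PORT -j DNAT --to-destination $VPN_A:$PORT
# Forward only the published service into the tunnel, and only its replies back out.
iptables -A FORWARD ! -i $TUN_IF -o $TUN_IF -d $VPN_A -p tcp --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $TUN_IF ! -o $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Server A: anything A sends from its tunnel address goes back through the
# tunnel to B, where conntrack reverses the DNAT and the reply leaves via ExtB.
# Packets that arrived on ExtA directly are unaffected, so the service stays
# reachable on both public IPs at once (the DNS migration case in the thread).
gen_rules_a() {
    cat <<EOF
# loose reverse-path check: client sources arrive via the tunnel, not via ExtA
sysctl -w net.ipv4.conf.$TUN_IF.rp_filter=2
ip route replace default via $VPN_B dev $TUN_IF table $TABLE
ip rule add from $VPN_A lookup $TABLE priority 1000
EOF
}

# Print both rule sets for review; pipe the right one into sh on the right host.
echo "### run on B"; gen_rules_b
echo "### run on A"; gen_rules_a
```

Check on A afterwards with `ip rule show` and `ip route show table 100`; on B, `conntrack -L` (if installed) shows each forwarded flow with its DNAT reverse mapping.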

